comparison src/event/ngx_event_openssl.c @ 510:24b676623d4f NGINX_0_8_7
nginx 0.8.7
*) Change: minimum supported OpenSSL version is 0.9.7.
*) Change: the "ask" parameter of the "ssl_verify_client" directive was
renamed to the "optional" parameter, and it now verifies a client
certificate if one was offered.
Thanks to Brice Figureau.
*) Feature: the $ssl_client_verify variable.
Thanks to Brice Figureau.
*) Feature: the "ssl_crl" directive.
Thanks to Brice Figureau.
*) Feature: the "proxy" parameter of the "geo" directive.
*) Feature: the "image_filter" directive supports variables for setting
size.
*) Bugfix: the $ssl_client_cert variable usage corrupted memory; the
bug had appeared in 0.7.7.
Thanks to Sergey Zhuravlev.
*) Bugfix: "proxy_pass_header" and "fastcgi_pass_header" directives did
not pass to a client the "X-Accel-Redirect", "X-Accel-Limit-Rate",
"X-Accel-Buffering", and "X-Accel-Charset" lines from backend
response header.
Thanks to Maxim Dounin.
*) Bugfix: in handling "Last-Modified" and "Accept-Ranges" backend
response header lines; the bug had appeared in 0.7.44.
Thanks to Maxim Dounin.
*) Bugfix: the "[alert] zero size buf" error if subrequest returns an
empty response; the bug had appeared in 0.8.5.
author | Igor Sysoev <http://sysoev.ru> |
date | Mon, 27 Jul 2009 00:00:00 +0400 |
parents | f39b9e29530d |
children | 4c5d2c627a6c |
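--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -95,20 +95,16 @@
 
 
 ngx_int_t
 ngx_ssl_init(ngx_log_t *log)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000
 OPENSSL_config(NULL);
-#endif
 
 SSL_library_init();
 SSL_load_error_strings();
 
-#if (NGX_SSL_ENGINE)
 ENGINE_load_builtin_engines();
-#endif
 
 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 
 if (ngx_ssl_connection_index == -1) {
 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
@@ -167,13 +163,11 @@
 
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
 
-#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
-#endif
 
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 
 if (ngx_ssl_protocols[protocols >> 1] != 0) {
 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
@@ -260,10 +254,55 @@
 */
 
 ERR_clear_error();
 
 SSL_CTX_set_client_CA_list(ssl->ctx, list);
+
+return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
+{
+X509_STORE *store;
+X509_LOOKUP *lookup;
+
+if (crl->len == 0) {
+return NGX_OK;
+}
+
+if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
+return NGX_ERROR;
+}
+
+store = SSL_CTX_get_cert_store(ssl->ctx);
+
+if (store == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_get_cert_store() failed");
+return NGX_ERROR;
+}
+
+lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+
+if (lookup == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"X509_STORE_add_lookup() failed");
+return NGX_ERROR;
+}
+
+if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
+== 0)
+{
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"X509_LOOKUP_load_file(\"%s\") failed", crl->data);
+return NGX_ERROR;
+}
+
+X509_STORE_set_flags(store,
+X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 
 return NGX_OK;
 }
 
 
@@ -1199,13 +1238,11 @@
 if (sslerr == SSL_ERROR_SYSCALL) {
 
 if (err == NGX_ECONNRESET
 || err == NGX_EPIPE
 || err == NGX_ENOTCONN
-#if !(NGX_CRIT_ETIMEDOUT)
 || err == NGX_ETIMEDOUT
-#endif
 || err == NGX_ECONNREFUSED
 || err == NGX_ENETDOWN
 || err == NGX_ENETUNREACH
 || err == NGX_EHOSTDOWN
 || err == NGX_EHOSTUNREACH)
@@ -1972,11 +2009,11 @@
 return NGX_ERROR;
 }
 
 p = s->data;
 
-for (i = 0; i < len; i++) {
+for (i = 0; i < cert.len - 1; i++) {
 *p++ = cert.data[i];
 if (cert.data[i] == LF) {
 *p++ = '\t';
 }
 }
@@ -2106,10 +2143,39 @@
 
 return NGX_OK;
 }
 
 
+ngx_int_t
+ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+X509 *cert;
+
+if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
+s->len = sizeof("FAILED") - 1;
+s->data = (u_char *) "FAILED";
+
+return NGX_OK;
+}
+
+cert = SSL_get_peer_certificate(c->ssl->connection);
+
+if (cert) {
+s->len = sizeof("SUCCESS") - 1;
+s->data = (u_char *) "SUCCESS";
+
+} else {
+s->len = sizeof("NONE") - 1;
+s->data = (u_char *) "NONE";
+}
+
+X509_free(cert);
+
+return NGX_OK;
+}
+
+
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {
 ngx_openssl_conf_t *oscf;
 
@@ -2129,11 +2195,10 @@
 
 
 static char *
 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
-#if (NGX_SSL_ENGINE)
 ngx_openssl_conf_t *oscf = conf;
 
 ENGINE *engine;
 ngx_str_t *value;
 
@@ -2164,25 +2229,13 @@
 }
 
 ENGINE_free(engine);
 
 return NGX_CONF_OK;
-
-#else
-
-ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-"\"ssl_engine\" directive is available only in "
-"OpenSSL 0.9.7 and higher,");
-
-return NGX_CONF_ERROR;
-
-#endif
 }
 
 
 static void
 ngx_openssl_exit(ngx_cycle_t *cycle)
 {
-#if (NGX_SSL_ENGINE)
 ENGINE_cleanup();
-#endif
-}
+}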
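Review bot: The new copy bound `i < cert.len - 1` in the $ssl_client_cert hunk (old line 1977, new line 2014) wraps around when `cert.len` is 0, because ngx_str_t.len is unsigned, and the loop would then run far past `cert.data` and the buffer at `s->data`; the visible lines do not show a `cert.len == 0` guard, and the enclosing function starts and ends outside the hunk, so whether one exists cannot be confirmed here. If the function does return early on an empty certificate, a one-line comment above the loop, `/* skips the trailing LF; relies on the empty-certificate check above */`, records both the dependency and the reason the last byte is dropped; if it does not, `for (i = 0; i + 1 < cert.len; i++) {` is the form that cannot wrap. The ngx_ssl_crl hunk would also benefit from a comment on `X509_V_FLAG_CRL_CHECK_ALL`, since with that flag every CA in the client's chain must have a CRL available or verification fails, which is worth stating next to the directive that loads a single file.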